v018-axios-cdntest @1.0.3
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID: MAL-2026-5529
Ecosystem: npm
Summary
Package impersonates axios v0.18.0 (index.js carries the genuine "axios v0.18.0 | (c) 2018 by Matt Zabriskie" header and sets window.axios={}, window.__cdn_package='axios@0.18.0') but ships two malicious payloads.
(1) index.js appends an IIFE that reads document.cookie and sends it via XMLHttpRequest GET to a hardcoded webhook.site endpoint (https://webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735?c=<cookies>), firing on the page load event, so any consumer loading this script via CDN or bundle leaks all accessible cookies to the attacker.
(2) Sibling xmr-min.js is an in-browser Monero cryptojacker that constructs a Web Worker from a Blob and uses eval on dynamic JS to mine to wallet 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3A via pool.supportxmr.com:4444.
The package is intended to be loaded through jsdelivr (cdn.jsdelivr.net/npm/v018-axios-cdntest@.../xmr-min.js), so any site embedding it leaks user cookies and burns visitors' CPU. The package's own description self-labels these payloads.
Source: amazon-inspector (67d30d2c9939173663f8ba1312b2591d2f86c67657bd5eeff59b19187f50b901)
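A defender-side check for the indicators named in the summary, as an added example that is not part of the advisory or of any vendor tooling: it looks for the package in a parsed package-lock.json and for the jsdelivr, webhook.site and mining-pool strings in page or bundle source. The function names, the sample lock file and the sample HTML are constructed for illustration.

```javascript
// Added example: indicator strings come from the advisory summary;
// function names and sample inputs are constructed for illustration.
const PKG = 'v018-axios-cdntest';
const TEXT_INDICATORS = [
  'cdn.jsdelivr.net/npm/' + PKG,
  'webhook.site/ef6e7978-f936-4664-b3ff-296a250e1735',
  'pool.supportxmr.com',
];

// Return every install path of the package in a parsed package-lock.json.
// v2/v3 lock files use a flat "packages" map keyed by install path;
// v1 lock files use a nested "dependencies" tree.
function findInLock(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // The text after the last "node_modules/" is the package name.
      if (path.split('node_modules/').pop() === PKG) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + '/' + name;
      if (name === PKG) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path); // transitive installs nest here in v1
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Return indicators found in page or bundle source, with 1-based line numbers.
function findInText(text) {
  const hits = [];
  text.split('\n').forEach((line, i) => {
    for (const ind of TEXT_INDICATORS) {
      if (line.includes(ind)) hits.push({ line: i + 1, indicator: ind });
    }
  });
  return hits;
}

// Constructed samples: a transitive install and a CDN script tag.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'shop-frontend', version: '1.0.0' },
  'node_modules/widget/node_modules/v018-axios-cdntest': { version: '1.0.3' },
} };
const sampleHtml = '<script src="https://cdn.jsdelivr.net/npm/axios@0.18.0/dist/axios.min.js"></script>\n' +
  '<script src="https://cdn.jsdelivr.net/npm/v018-axios-cdntest@1.0.3/xmr-min.js"></script>';
console.log(findInLock(sampleLock), findInText(sampleHtml));
```

A lock-file hit means the package is in the dependency tree; a text hit means a page or bundle references the CDN copy or one of the two network endpoints directly, which a lock-file scan alone would miss.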